What’s in a Jelly Bean: is Android 4.1 going to help with BYOD?

Google recently announced Android 4.1 ‘Jelly Bean’ at its I/O conference in San Francisco. The latest flavor of the world’s #1 mobile OS promises better user experience and sexier UI. But does it really make any easier for IT to secure and manage those personal devices used for work?

Generally speaking, 4.1 is an incremental release that takes Android one step closer to Apple iOS, which has been in the market for 5 years now. From a corporate IT perspective, nothing is dramatically different or better.

The many improvements are all consumer-oriented and mostly pertain to usability and overall end-user experience – key is the new extended vsync timing. From a BYOD perspective, not much has changed either. In fact, there are new reasons to worry about the potential security implications of some of the new consumer-oriented features related to Wi-Fi connectivity and data exchange. These include Wi-Fi Direct, a technology that lets apps discover and pair directly, over a high-bandwidth peer-to-peer connection and the Android Beam that allows Bluetooth data transfers from one device to another triggered by NFC.

On the other hand, IT managers will welcome the new Network Bandwidth Management API and the Smart App Updates functionality. The Network Bandwidth Management enhanced functionality may help corporate IT curb mobile data costs when the device is connected to a metered (read commercial) network, including tethering to a mobile hotspot. Apps can query whether the current network is metered before beginning a large download that might otherwise be relatively expensive to the user. However, this new API requires Mobile Device Management (MDM) and/or Telecom Expense Management (TEM) integration to get a clear picture of which networks are sensitive to data usage and to manage the network activity accordingly. In addition, the Smart App Updates technology, which makes app updates smaller, and thus faster and cheaper to download, may also help the overall system security by increasing the likelihood that individual end-users will keep their apps up-to-date.

Among the announced new features, two in particular may have a direct impact on security:

App Encryption: When integrated with Google Play, this new feature protect application assets by encrypting all paid apps with a device-specific key before they are delivered and stored on a device. This is more about protecting apps developers from illegal downloads than addressing the legitimate corporate concern about data losses caused by consumer mobile devices connecting to corporate networks. In fact, App Encryption applies only to the application code itself and only if downloaded from the Google official app store. As a side effect, this new technology may actually make more difficult to develop and run independent mobile app reputation services – such as the one offered by Trend Micro – that scan for the multitude of malware affecting all Android stores – Google’s Play included. At the same time, it may also make more difficult for hackers to reverse engineer legit apps to inject malicious code.

PDK: the Android Platform Developer’s Kit is the hardware equivalent for OEMs of the software SDK for app developers. Usually SDK’s are released months ahead of product launches because platform vendors want apps developers to make as many apps as possible available for the day of the launch – or soon after. This is a good step in the right direction. But I am skeptical about its actual effect on Android fragmentation, which is mostly driven by the business need to differentiate otherwise commodity products rather than mere technical reasons. Let’s not forget in fact that OEMs – and wireless operators too – have all the interest to get people to buy new devices rather than upgrade to a new version of the OS the ones they already own.

Once more, it appears that Google prioritizes consumer requirements over security and manageability. And that’s what you would expect from one of the most successful consumer brands on the planet. It’s fair to say that, despite some enterprise-grade security and management capabilities creeping into the Android platform over time, the primary target for Google – as well as for the many Android OEMs – is the consumer segment. The focus is on attributes like design, form factor and sleek user interfaces, not encryption, VPN, or MDM support. And unfortunately for the many IT managers cooping with disruptive IT trends such as Consumerization and BYOD, there is still no evidence that this is going to change any time soon.

One Response to What’s in a Jelly Bean: is Android 4.1 going to help with BYOD?

Tend to agree with your analysis. Also worth pointing out that offline content management was talked about frequently by the Google presenters. Expect ‘offline content’ to be a surface attack area for malware authors.

About Cesare Garlati

This is my personal blog about disruptive technology trends such as mobile, cloud and the Internet of things. It's full of my reasoned opinions, some of which will turn out to be absolutely wrong. You should not rely on anything in this blog for any reason other than for amusement.

This blog occasionally quotes excerpts from other publications, in which case it is done under Fair Use. I despise copyright trolls and think the EFF is due for sainthood any day now.

I am an active member of the Cloud Security Alliance, RISC-V and prpl Foundation: some of my writing will appear here too if it's relevant. The opinions here are mine and mine alone, and are not representative of any professional organizations I belong to.